Hi all,
I’ve noticed a bit of an issue with maintaining idempotency with iam and iam_policy modules.
Consider the following:
- name: IAM policy
  iam_policy:
    iam_type: role
    iam_name: myrole
    policy_name: mypolicy
    state: absent
- name: IAM role
  iam:
    iam_type: role
    name: myrole
    state: absent
If I run this playbook then it works correctly - the policy is removed, followed by the role.
However, if I now rerun this playbook then the iam_policy will now fail with “The role with name myrole cannot be found.”
If I just leave out the iam_policy call then I can never delete the role because it will fail with “Cannot delete entity, must delete policies first.”
So, best way to solve?
I’ve come up with 2 ways…
1. Modify iam_policy - Consider that if the role is not available when iam_policy looks it up then it is safe to assume that the policy is absent, so rather than failing we just exit.
2. Modify iam - Add a parameter to iam to remove any attached policy before the role removal is attempted.
I would certainly lean towards (1) but I open up the floor…
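To make the two options concrete, here is an added example (not the post's playbook, and not the code of the Ansible iam or iam_policy modules) that models both behaviours against an in-memory stub of IAM. The stub client, its exception classes and the ensure_policy_absent / ensure_role_absent helpers are all assumptions constructed for this illustration; the stub only reproduces the two errors quoted above: a missing role raises NoSuchEntity, and deleting a role that still has inline policies raises DeleteConflict. Running the two-task playbook twice shows that option (1) turns the second-run failure into a no-op (changed=False), and option (2) lets the role task succeed on its own.

```python
"""Idempotent 'state: absent' handling for IAM roles and their inline policies.

Everything here is constructed for the example: a stub IAM client rather than
boto, and helper functions that stand in for the module logic being discussed.
"""


class NoSuchEntity(Exception):
    """Stand-in for IAM's 'entity not found' error (constructed)."""


class DeleteConflict(Exception):
    """Stand-in for 'Cannot delete entity, must delete policies first.' (constructed)."""


class StubIamClient:
    """Minimal in-memory IAM: each role maps to the set of its inline policy names."""

    def __init__(self, roles):
        # Example state, e.g. {"myrole": {"mypolicy"}} (constructed input).
        self.roles = {name: set(policies) for name, policies in roles.items()}

    def list_role_policies(self, role_name):
        if role_name not in self.roles:
            raise NoSuchEntity(f"The role with name {role_name} cannot be found.")
        return sorted(self.roles[role_name])

    def delete_role_policy(self, role_name, policy_name):
        if role_name not in self.roles:
            raise NoSuchEntity(f"The role with name {role_name} cannot be found.")
        self.roles[role_name].discard(policy_name)

    def delete_role(self, role_name):
        if role_name not in self.roles:
            raise NoSuchEntity(f"The role with name {role_name} cannot be found.")
        if self.roles[role_name]:
            raise DeleteConflict("Cannot delete entity, must delete policies first.")
        del self.roles[role_name]


def ensure_policy_absent(client, role_name, policy_name, tolerate_missing_role=True):
    """Option (1): a missing role means the policy is already absent.

    Returns True when something was deleted (Ansible's 'changed'), False otherwise.
    With tolerate_missing_role=False this reproduces the failure described in the post.
    """
    try:
        existing = client.list_role_policies(role_name)
    except NoSuchEntity:
        if tolerate_missing_role:
            return False  # Desired state already reached: nothing to do, no failure.
        raise
    if policy_name not in existing:
        return False
    client.delete_role_policy(role_name, policy_name)
    return True


def ensure_role_absent(client, role_name, remove_policies=False):
    """Option (2): optionally strip inline policies before deleting the role.

    Without remove_policies the stub raises DeleteConflict exactly as IAM would
    when policies are still attached.
    """
    try:
        policies = client.list_role_policies(role_name)
    except NoSuchEntity:
        return False  # Role already gone: idempotent no-op.
    if remove_policies:
        for policy_name in policies:
            client.delete_role_policy(role_name, policy_name)
    client.delete_role(role_name)
    return True


def run_playbook_twice(remove_policies=False):
    """Simulate the post's two-task playbook on two consecutive runs.

    Returns a list of (policy_changed, role_changed) tuples, one per run.
    """
    client = StubIamClient({"myrole": {"mypolicy"}})
    results = []
    for _ in range(2):
        policy_changed = ensure_policy_absent(client, "myrole", "mypolicy")
        role_changed = ensure_role_absent(client, "myrole", remove_policies)
        results.append((policy_changed, role_changed))
    return results


if __name__ == "__main__":
    print(run_playbook_twice())  # first run deletes both, second run changes nothing
```

The key design point is that an absent-state task should treat "the parent object does not exist" as success rather than as an error, because the desired end state is already satisfied; the same reasoning is what makes the second run report changed=False instead of failing.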